rustsec / advisory-db

Security advisory database for Rust crates published through crates.io
https://rustsec.org

`zerovec` vulnerability #1990

Closed robertbastian closed 2 days ago

robertbastian commented 1 week ago

cc @Manishearth

tarcieri commented 1 week ago

Does it really need to be filed for both crates? If one pulls in the other, that’s sufficient.

robertbastian commented 1 week ago

It's possible (but unlikely) to be in a setup of zerovec-derive@0.10.0 and zerovec@0.10.4. This is a vulnerable combination.

Edit: zerovec only pulls in zerovec-derive with the derive feature; that could be off with a client manually importing zerovec-derive.

Manishearth commented 1 week ago

@tarcieri the vulns are present in both crates independently: the derive macro doesn't enforce C, packed, and the manual impls in the zerovec crate also don't have C, packed.
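The thread turns on a layout requirement: a type that is read directly out of a byte buffer must have alignment 1 and no padding, which `#[repr(C, packed)]` guarantees and the default representation does not. The following is an added example, not code from zerovec or zerovec-derive, showing why the attribute matters and the compile-time check a derive macro could enforce before emitting byte-view impls. The struct names, the `is_byte_view_layout` helper and the sample buffer are all constructed for this illustration.

```rust
use std::mem::{align_of, size_of};

/// A type is a sound zero-copy byte view only if it can start at any byte
/// offset (alignment 1) and contains no padding bytes (its size equals the
/// sum of its field sizes). Hypothetical helper, not zerovec's own API.
pub const fn is_byte_view_layout<T>(sum_of_field_sizes: usize) -> bool {
    align_of::<T>() == 1 && size_of::<T>() == sum_of_field_sizes
}

/// The same two fields under three layout rules (constructed example types).
/// Default repr: the compiler may reorder fields and insert padding.
#[derive(Clone, Copy)]
pub struct DefaultRepr {
    pub tag: u8,
    pub value: u16,
}

/// repr(C): declaration order is kept, but `value` is padded to its alignment.
#[repr(C)]
#[derive(Clone, Copy)]
pub struct CRepr {
    pub tag: u8,
    pub value: u16,
}

/// repr(C, packed): declaration order, no padding, alignment 1.
#[repr(C, packed)]
#[derive(Clone, Copy)]
pub struct PackedRepr {
    pub tag: u8,
    pub value: u16,
}

impl PackedRepr {
    /// Copy the field out; taking a reference to a packed field is not allowed.
    pub fn value(&self) -> u16 {
        self.value
    }
}

/// Bytes actually carried by the fields: 1 (u8) + 2 (u16).
pub const FIELD_BYTES: usize = size_of::<u8>() + size_of::<u16>();

// Compile-time enforcement: this is the assertion a derive macro could emit
// (or require) so that a struct without `repr(C, packed)` fails to build
// instead of silently getting an unsound byte-view impl.
const _: () = assert!(is_byte_view_layout::<PackedRepr>(FIELD_BYTES));

pub fn default_is_byte_view() -> bool {
    is_byte_view_layout::<DefaultRepr>(FIELD_BYTES)
}

pub fn c_is_byte_view() -> bool {
    is_byte_view_layout::<CRepr>(FIELD_BYTES)
}

pub fn packed_is_byte_view() -> bool {
    is_byte_view_layout::<PackedRepr>(FIELD_BYTES)
}

/// Safe, bounds-checked decode of a `PackedRepr` from any byte offset,
/// relying on the repr(C, packed) layout: `tag` at +0, little-endian
/// `value` at +1..+3. Returns None if the buffer is too short.
pub fn decode_packed(bytes: &[u8], offset: usize) -> Option<PackedRepr> {
    let end = offset.checked_add(size_of::<PackedRepr>())?;
    let s = bytes.get(offset..end)?;
    Some(PackedRepr {
        tag: s[0],
        value: u16::from_le_bytes([s[1], s[2]]),
    })
}

fn main() {
    println!(
        "default: size {} align {} byte-view? {}",
        size_of::<DefaultRepr>(),
        align_of::<DefaultRepr>(),
        default_is_byte_view()
    );
    println!(
        "repr(C): size {} align {} byte-view? {}",
        size_of::<CRepr>(),
        align_of::<CRepr>(),
        c_is_byte_view()
    );
    println!(
        "repr(C, packed): size {} align {} byte-view? {}",
        size_of::<PackedRepr>(),
        align_of::<PackedRepr>(),
        packed_is_byte_view()
    );
}
```

Only the packed variant passes the check: the default and `repr(C)` structs are 4 bytes with alignment 2, so reinterpreting an arbitrary 3-byte window of a buffer as one of them would read a padding byte and violate alignment. Moving the same condition into a `const` assertion is the cheap mitigation: an impl generated for a struct missing the attribute becomes a build error rather than a latent soundness bug.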